Re: What password manager do you recommend?

2022-01-08 Thread Kristaps Dzonsons
If you're using keepassxc-browser with chromium in ports (at least for
7.0), note that the same unveil bits documented for firefox apply:

% tail /etc/chromium/unveil.main
[snip]
# KeePassXC
/usr/local/bin r
/usr/local/bin/keepassxc-proxy rx

If you don't have the /usr/local/bin unveil, it will not properly detect 
the proxy plugin.  (There's an assertion in the source prior to the exec 
that getcwd must exist, which is invoked in /usr/local/bin.)




Re: cgit about-filter in chroot (httpd + slowcgi)

2021-03-28 Thread Kristaps Dzonsons

$ cat > my-cgit-filter.c << EOF
#include <unistd.h>

int
main(void)
{
	/* Replace this process with lowdown, reading the about-page from stdin. */
	execl("/bin/lowdown", "lowdown", (char *)NULL);
	return 1;	/* only reached if the exec failed */
}
EOF
$ cc my-cgit-filter.c -o my-cgit-filter -static


Instead of downloading, recompiling, and installing lowdown; then 
building and installing a program that execs the downloaded lowdown; why 
don't you cut out the first step and call through to the C API installed 
with the lowdown port?  There's a full example in the EXAMPLES section 
of lowdown_file(3).




Re: openrsync crashes when syncing local source and local destination

2019-06-26 Thread Kristaps Dzonsons
> is it a case that the source and destination directory are the same ?
> ..is that the issue at hand ?

Tom,

Doesn't matter when I try it.

Aaron, I am able to cause a premature exit by running against a source
machine's rsync that doesn't exist.  By default, openrsync will invoke
"rsync".  So if you're running

 % openrsync whatever wherever

It will look for "rsync" on the local computer.  On my machine:

% /usr/bin/openrsync --rsync-path /usr/bin/muppet -v xyzzy/ xyzzy/
io.c:224: error: unexpected end of file
io.c:247: error: io_read_nonblocking
io.c:638: error: io_read_buf
client.c:56: error: io_read_int

Is this the case with you?  You can verify by running:

% /usr/bin/openrsync --rsync-path /usr/bin/openrsync -v xyzzy/ xyzzy/
flist.c:1076: warning: xyzzy/: skipping directory
Transfer starting: 0 files
Transfer complete: 16 B sent, 17 B read, 0 B file size

Of course, if you use -a,

% /usr/bin/openrsync --rsync-path /usr/bin/openrsync -va xyzzy/ xyzzy/
Transfer starting: 64 files
Transfer complete: 16 B sent, 2.3 KB read, 290.6 KB file size

Either way, I'll cook up a patch to have an error message following the
execvp in main.c.

Best,

Kristaps



Re: openrsync crashes when syncing local source and local destination

2019-06-26 Thread Kristaps Dzonsons
> openrsync crashes when syncing local files.  It was working a few days
> ago but after upgrading current it produces this error.  No files are 
> transferred.
> 
> openrsync -v local-dir/ local-dir/
> 
> /usr/src/usr.bin/rsync/io.c:224: error: unexpected end of file
> /usr/src/usr.bin/rsync/io.c:247: error: io_read_nonblocking
> /usr/src/usr.bin/rsync/io.c:638: error: io_read_buf
> /usr/src/usr.bin/rsync/client.c:56: error: io_read_int
> 
> uname -a
> OpenBSD laptop.home.net 6.5 GENERIC.MP#69 amd64

I can't reproduce this, but I think you've copy and pasted things wrong.
 You were really running openrsync with two directories (the same
directories, mind you) and not -a?  Is there an openrsync.core anywhere
whose backtrace you can get?

Can you run with - and paste your exact invocation?  And again with
--rsync-path openrsync as well?

Also, can you tail /var/log/messages to see if there's anything in there?



make(1) and multiple outputs

2018-08-31 Thread Kristaps Dzonsons
Short: is there a way to manage multiple outputs from a single command
with OpenBSD's make(1)?

Longer story.  I have a site that generates a few hundred articles using
sblg(1).  Each output article is indexNNN.html, which depends upon every
input indexNNN.xml.  So a change to any indexNNN.xml must result in
rebuilding all indexNNN.html using a single command.

In GNU make, I can use the pattern substring match to effect this:

all: index001.html index002.html

index001%html index002%html: index001.xml index002.xml
	sblg -L index001.xml index002.xml

But obviously that's GNU-only.  It is, as a fallback, possible to have
sblg(1) create one output per input and play nice with make(1):

index001.html: index001.xml index002.xml
	sblg -C index001.xml index001.xml index002.xml

But with hundreds of articles (each of which depends upon parsing
hundreds of articles), those are a lot of wasted cycles.

I currently just use the GNU make, but I'd rather use only stock
components on the server.  Any thoughts?
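A portable way to express "one command, many outputs" without GNU pattern
rules is a stamp file.  This is an added example, not from the post: it
assumes the indexNNN.xml/indexNNN.html naming above and the sblg -L
invocation the post shows, and it works the same under OpenBSD make(1) and
GNU make.

```make
# Added example (not from the original post): a stamp-file rule that both
# OpenBSD make(1) and GNU make understand.  sblg -L rewrites every
# indexNNN.html in a single run; the stamp records that it has been run
# since any indexNNN.xml last changed, so the rule fires once, not per page.
XMLS  = index001.xml index002.xml
HTMLS = ${XMLS:.xml=.html}

all: index.stamp

# One recipe, one sblg invocation, all outputs refreshed together.
index.stamp: ${XMLS}
	sblg -L ${XMLS}
	touch $@

clean:
	rm -f ${HTMLS} index.stamp

.PHONY: all clean
```

The cost is that make no longer knows the .html files individually: delete one
by hand and nothing rebuilds it until an .xml changes or the stamp is removed,
which is the trade-off a single many-output command forces on any make.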



Re: Documenting library promises.

2018-04-06 Thread Kristaps Dzonsons
>> .Sh SANDBOXING
>> On
>> .Ox ,
>> the
>> .Fn khttp_parse
>> function requires the
>> .Qq stdio proc
>> promises to
>> .Xr pledge 2 .
> 
> As long as it is only a single sentence, that could easily go right
> after the description of the individual function in the DESCRIPTION,
> or alternatively at the end of the DESCRIPTION section.  Custom
> sections are not very nice, in particular when they are so short
> that they hardly justify opening a new section in the first place.
> 
> If you really want to describe multiple different sandboxing
> systems, then i guess ".Sh SANDBOXING" after the DESCRIPTION
> might make sense.  I'm not all that sure that describing any other
> system will be possible without going overboard; they are typically
> much too complicated to be summarized without excessive verbosity.
> But you shall no doubt see whether or not it works...

Ingo,

The only reason I suggest a standalone section is that it's easier to
standardise across manpages.  Saying "it should go after the function"
is too open to interpretation.  Moreover, some functions may have
varying promises depending upon function parameters, which will rapidly
eat into space better left to the functions themselves.

How about .Sh RESOURCES?  This would also fit other systems like
Capsicum.  Though in practice, I think we'll find only pledge documented
there.

Best,

Kristaps



Documenting library promises.

2018-04-06 Thread Kristaps Dzonsons
Hi folks,

Short: what do you recommend for documenting an external library's
pledge(2) requirements?

Longer: https://bsd.network/@florian/99802355448571943

The question raised in this... um... toot?... is which promises are
required by an external library call, in this case khttp_parse(3) in
kcgi.  Sure, we can always just run the program, look in
/var/log/messages for failure, and edit our promises.  But just... no.

In this particular case, I've documented this function's requirements
unofficially here and there---tutorials and such.  But it's not
canonical.  What I'd like is to put these directly into the manpages.

Something like:

.Sh SANDBOXING
On
.Ox ,
the
.Fn khttp_parse
function requires the
.Qq stdio proc
promises to
.Xr pledge 2 .

This encourages developers to use the tightest possible promises.  And
as mdoc(7) is meant not to be system-specific, this might also include
information on, say, .Fx's Capsicum, or maybe whatever Linux uses this
week.  It already has "SECURITY CONSIDERATIONS", but that just doesn't
seem quite right.

Thoughts?

Kristaps



Re: manual assistance

2018-03-15 Thread Kristaps Dzonsons
>   http://manpages.bsd.lv/
> (a bit dated by now and a bit wordy,
>  but probably still worthwhile)

I would love for somebody conversant in mdoc(7) (and, um, English) to take
over this project!



Re: How to generate manpages with sqlite2mdoc?

2018-02-14 Thread Kristaps Dzonsons
> Hi there,
> 
> I'm trying to create manpages for SQLite with sqlite2mdoc
> (https://github.com/kristapsdz/sqlite2mdoc).  I followed the
> instructions in README.md and created an executable named
> ``sqlite2mdoc'', but when I executed it, it just hung up.
> 
> I read the source code and tried ``./sqlite2mdoc -v'' to see what's
> happening, but still didn't get any output. Since I'm not familiar
> with C and C libraries, I think I'd better ask here.
> 
> Thanks.

From the manpage:

"By default, sqlite2mdoc reads from standard input and outputs files
into the current directory."

So try:

mkdir /tmp/output
./sqlite2mdoc -v -p /tmp/output < /usr/local/include/sqlite3.h

Then if you like the output in /tmp/output, do:

doas cp /tmp/output/* /usr/local/man/man3/
doas makewhatis

So as not to clobber /usr/local, however, I usually have things I've
compiled in /opt or /usr/local/opt.

Best,

Kristaps



Re: Git(Hub) and CVS

2018-01-20 Thread Kristaps Dzonsons
> I'm guessing the cvs2git version changed in the upgrade and the new version
> generates different commit hashes from the old one.  You can verify this by
> comparing how a known commit shows up on the GitHub UI vs. a git log of a
> recent cvs2git conversion: if the "commit XXX" strings differ, that's
> our culprit.
> 
> If you don't care about preserving the hashes of the old commits on GitHub,
> then what you probably want is `git push --mirror origin`.  It does exactly
> what it sounds like, mirroring the current state of the entire repo to the
> remote.  (Doing this means that people won't be able to git pull without
> --rebase on checkouts of your repository made prior to the cvs2git upgrade,
> and if there are any antediluvian forks of it on GitHub the UI may get
> confused trying to figure out their relation.)
> 
> If you DO care about preserving the commits with the old hashes on GitHub
> then I don't know how to do better than Anton's suggestion, though I think
> you'll still encounter problems with tags... you'd have to take the --tags
> off your push command and come up with some system for pushing new tags
> individually.

Lari,

Modifying the script with "--mirror" as suggested by you and a private
message fixed this for me.  For completeness:

 cd /a/tmp/path
 cvs2git --blobfile=git-blob.dat \
   --dumpfile=git-dump.dat \
   --username=mymail /path/to/REPO
 mkdir $1.git
 cd $1.git
 git init
 cd .git
 git fast-import --export-marks=../../git-marks.dat < ../../git-blob.dat
 git fast-import --import-marks=../../git-marks.dat < ../../git-dump.dat
 git remote add origin https://github.com/account/REPO.git
 cd ..
 git checkout
 git push origin --mirror # This fixed everything.

This worked beautifully.  Thanks again for the help!

Best,

Kristaps



Re: Git(Hub) and CVS

2018-01-20 Thread Kristaps Dzonsons
>> I know many here are using CVS, and many are also using git, so I wonder
>> if anybody can help me.  On BSD.lv, I push my CVS repositories (kcgi,
>> sblg, etc.) to GitHub from time to time using a cvs2git script.  It goes
>> as follows, shortened and pseudonymised:
>>
>>  REPO=$1  # e.g., kcgi
>>  cd /tmp/cvs2git
>>  cvs2git --blobfile=git-blob.dat \
>>    --dumpfile=git-dump.dat \
>>    --username=kristaps@me \
>>    /path/to/cvsroot/$REPO
>>  mkdir $REPO.git
>>  cd $REPO.git
>>  git init
>>  cd .git
>>  git fast-import \
>>    --export-marks=../../git-marks.dat < ../../git-blob.dat
>>  git fast-import \
>>    --import-marks=../../git-marks.dat < ../../git-dump.dat
>>  git remote add origin https://github.com/account/$REPO.git
>>  cd ..
>>  git checkout
> 
> Prior pushing, have you tried;
> 
>   $ git fetch
>   $ git branch -u origin/master
>   $ git rebase

Anton,

Thanks for taking a look!  Results of running this after the checkout:

 % git fetch
 ...
 From https://github.com/account/REPO
  * [new branch]  master -> origin/master
 % git branch -u origin/master
 Branch master set up to track remote branch master from origin.
 % git rebase
 First, rewinding head to replay your work on top of it...
 Applying:
 Using index info to reconstruct a base tree...
  [...stuff about white-space...]
 warning: 3 lines add whitespace errors.
 Falling back to patching base and 3-way merge...
 Auto-merging source.c
 CONFLICT (add/add): Merge conflict in source.c
  [...a few more messages like that...]
 error: Failed to merge in the changes.
 Patch failed at 0001
 The copy of the patch that failed is found in: .git/rebase-apply/patch

 When you have resolved this problem, run "git rebase --continue".
 If you prefer to skip this patch, run "git rebase --skip" instead.
 To check out the original branch and stop rebasing, run "git rebase
--abort".

Any further ideas?  I wish I could be more helpful, but my git fu is weak.

Best,

Kristaps



Git(Hub) and CVS

2018-01-18 Thread Kristaps Dzonsons
I know many here are using CVS, and many are also using git, so I wonder
if anybody can help me.  On BSD.lv, I push my CVS repositories (kcgi,
sblg, etc.) to GitHub from time to time using a cvs2git script.  It goes
as follows, shortened and pseudonymised:

 REPO=$1  # e.g., kcgi
 cd /tmp/cvs2git
 cvs2git --blobfile=git-blob.dat \
   --dumpfile=git-dump.dat \
   --username=kristaps@me \
   /path/to/cvsroot/$REPO
 mkdir $REPO.git
 cd $REPO.git
 git init
 cd .git
 git fast-import \
   --export-marks=../../git-marks.dat < ../../git-blob.dat
 git fast-import \
   --import-marks=../../git-marks.dat < ../../git-dump.dat
 git remote add origin https://github.com/account/$REPO.git
 cd ..
 git checkout
 git push --tags -u origin master

Our repositories are all pretty basic (just tags, no branches), and it's
only me pushing to GitHub, so this works although it's not incremental
and can take a minute or so.  Or I should say it "worked", because since
updating OpenBSD from an embarrassingly old version, it doesn't any
more.  The error given is on the push:

 Compressing objects: 100% (633/633), done.
 Writing objects: 100% (2257/2257), 492.44 KiB | 16.98 MiB/s, done.
 Total 2257 (delta 1624), reused 2257 (delta 1624)
 remote: Resolving deltas: 100% (1624/1624), done.
 To https://github.com/account/REPO.git
  * [new tag] VERSION_0_4_3 -> VERSION_0_4_3
  ! [rejected]        master -> master (fetch first)
  ! [rejected]        VERSION_0 -> VERSION_0 (already exists)
  ... lots of "rejected" lines...
 error: failed to push some refs to 'https://github.com/account/REPO.git'
 hint: Updates were rejected because the tag already exists in the remote.

Any ideas?  Or does anybody have a process already in place for syncing
CVS to git/GitHub?  I've tried stopping before the "push" and doing all
manner of fetches and such, but nothing works.  I rarely use git, so I'm
really just reaching out in the dark.  The GitHub presence is just to
pick up on issues and pull requests from folks who are more
comfortable with that interface than e-mail, for which it has worked well.

Thank you,

Kristaps



Re: letsencrypt redux

2016-05-17 Thread Kristaps Dzonsons
>> It's designed to run on OpenBSD but works crappily on Mac OS X and
>> Linux.  Crappily because both are hostile to good security practises.
>> I'm not going to put any extra effort into these for compatibility.
> 
> I think you already added a lot of compatibility goo. 
> Might have been better if you started with a clean OpenBSD only client.

Joerg,

The only real compat is the ifdef for OpenBSD's pledge and for OSX's
sandbox_init (which is all but useless and can be removed without loss
of functionality), an ifdef for setres[ug]id and sys_signame (for
debugging), and some _GNU_SOURCE for asprintf on Linux (meh).  Since
moving DNS resolution to its own component, dnsproc.c, there's no funny
compat business in terms of programme flow, functionality, or structure.
 In other words, if I were to rebuild it without Linux or Mac, it
wouldn't look different with one exception that will shortly go away
(using setproctitle and err.h instead of having my own dowarnx et al).

Best,

Kristaps



letsencrypt redux

2016-05-15 Thread Kristaps Dzonsons
A few days ago, there was a thread regarding letsencrypt clients and
their, um, cavalier approach to security.  Since I like my free certs
and I like automation, and I also like not worrying about being owned, I
reckoned I could do better than mystery-meat clients.

 https://github.com/kristapsdz/letskencrypt

This isolates the steps of refreshing a certificate into isolated
processes, each of which is priv-dropped, chrooted, pledged, etc.  The
manpage says it all:

 https://github.com/kristapsdz/letskencrypt/blob/master/letskencrypt.1

It's obviously brand-new, but it works and I thought I'd see if
anybody's interested in looking over the libcrypto bits--if not the
approach in general.  The stuff that has manpages I think I get, but
there's some (e.g., X509v3 extension handling, properly seeding RAND,
calling _free if the ptr is NULL, memory management, ...) that's
undocumented and is just shot in the dark.  Moreover, the answers
offered on OpenSSL mailing lists seem... questionable.

It's designed to run on OpenBSD but works crappily on Mac OS X and
Linux.  Crappily because both are hostile to good security practises.
I'm not going to put any extra effort into these for compatibility.

(Side note: this requires the patch to json-c posted 09/05/2015 to the
ports list.  Or is there a better json parser in C?)

Thoughts?  Letsencrypt experts?

Best,

Kristaps



Re: letsencrypt (Was: Re: TLS now supported on openbsd.org?)

2016-05-10 Thread Kristaps Dzonsons
>> (By the way, httpd(8) doesn't support SNI yet--what do you use a
>> web server?  I found that apache2's chroot and https combo didn't
>> pass the "can I set this up in less than five minutes" sniff
>> test--I ended up using nginx.)
> 
> OpenBSD httpd :) If you need to serve more than one website over
> HTTPS without SNI, just add the extra domains into the main
> certificate SAN.

Marco,

Great!  I didn't think that was possible---I always thought SAN was used
exclusively for subdomain type things like foo.example.com and
moo.example.com in lieu of wildcards.  I'll look into this--no more nginx!

Best,

Kristaps



letsencrypt (Was: Re: TLS now supported on openbsd.org?)

2016-05-10 Thread Kristaps Dzonsons
> I dislike the idea.
> 
> For one, it does not stop a MITM by itself.
> 
> In addition, enforced encryption makes it hard to cache and/or use
> proper http proxies with the site.
> 
> Purely informative sites don't need TLS. The user can opt to use TLS
> if he thinks the content he needs to read is somehow sensitive, or
> configure his browser not to use the regular http version if he feels
> like doing that. A pure simple redirect does not add much to security
> unless the user takes extra steps - but if the user takes extra steps
> he does not need a redirect at all.

Huh, it seems obscured faces always come out of the woodwork to smash
using https whenever there's discussion about it.

Regarding letsencrypt, I use it because I'm cheap and lazy and have more
domains than patience.  Unfortunately the client is horrifying.  Here's
how I reconcile my cheapness--I figure others might have a better
solution than this, so please let me know.

(By the way, httpd(8) doesn't support SNI yet--what do you use a web
server?  I found that apache2's chroot and https combo didn't pass the
"can I set this up in less than five minutes" sniff test--I ended up
using nginx.)

(1) download one of the many letsencrypt shell scripts (I couldn't find
any reasonable ones that didn't require bash in a five-minute search), e.g.,

https://github.com/lukas2511/letsencrypt.sh

(2) have a local no-login user that will do nothing but run the
aforementioned script in a cronjob, which in turn keeps the certificates
(owned by that user) up to date;

(2b) configure the user to have access to, say, /var/www/letsencrypt for
the "domain-check" phase and set that in WELLKNOWN, with your web server
alias /.well-known/acme-challenge to that directory, and have the script
keep the certs somewhere in the user's home;

(3) have a doas rule for copying certificate parts from that user's
certificate directory into, say, /etc/ssl/letsencrypt (owned by that
user); or have root do it instead;

(4) have a doas rule to reload the web server;

(5) have a cronjob (or script from a cronjob) for the dedicated user
that runs the letsencrypt script and, if it finishes with success, use
doas to copy the certificate parts out and reload the web server.  I can
share mine if you'd like, but it's just that.

In the end, the /etc/ssl/letsencrypt (certificates) and
/var/www/letsencrypt (domain validation) directories are effectively
owned by the dedicated user, and I assume that they might be filled with
crap if the local account somehow gets pwned.  Can anybody suggest how
to make sure that the certs aren't bogus across cronjob script runs?
Another step between the server reload and copy could check-or-reject to
make sure that the server doesn't try to load bogusly-crafted certs?

Ideally I wouldn't have the letsencrypt actually touch the private keys
at all, or run the web server reload, but directly or indirectly a
change in cert would need to trigger that, and that's at the mercy of
the script anyway.  I just assume anything in those directories is toxic.

Best,

Kristaps
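One way to put the check-or-reject step the post asks about between the
renewal run and the doas copy, as an added example that is not part of the
post: the dedicated user's cron script validates each new certificate
(parses, not expiring, SAN carries the domain, private key matches) before it
crosses the privilege boundary.  Paths, the client's -c flag and the rcctl
reload target are assumptions; letsencrypt.sh is the script linked above.

```sh
#!/bin/sh
# Added example, not from the original post: renewal hook run from the
# dedicated no-login user's crontab.  Nothing below touches a privileged path
# until the new certificate has passed every check; only then are the two
# doas-permitted commands (install and reload) run.
#
# Assumed layout (placeholders): the ACME client writes
# $CERTDIR/<domain>/fullchain.pem and privkey.pem; the doas(1) rules allow
# this user exactly the install and rcctl commands below and nothing else.
ACME_CLIENT=${ACME_CLIENT:-/home/acme/letsencrypt.sh}   # the script linked above
CERTDIR=${CERTDIR:-/home/acme/certs}
DEST=${DEST:-/etc/ssl/letsencrypt}

# cert_is_sane CERT KEY DOMAIN: exit 0 only if CERT parses as X.509, is valid
# for at least another day, carries DOMAIN as a SubjectAltName entry, and its
# public key matches KEY.  Anything else is rejected before root sees it.
cert_is_sane() {
	cert=$1 key=$2 domain=$3

	# 1. A real certificate, not whatever the client happened to leave behind.
	openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 1

	# 2. Not expired or about to expire (86400 s = one day).
	openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null 2>&1 || return 1

	# 3. The private key we are about to install belongs to this certificate:
	#    compare the SubjectPublicKeyInfo derived from each side.
	cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
	kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
	[ -n "$cpub" ] && [ "$cpub" = "$kpub" ] || return 1

	# 4. It is for the name we asked for.  Dots are escaped for the regex and
	#    the name must be a whole SAN entry, so "ample.com" never matches
	#    "example.com" and "example.com" never matches "foo.example.com".
	esc=$(printf '%s' "$domain" | sed 's/\./\\./g')
	openssl x509 -in "$cert" -noout -text 2>/dev/null |
	    grep -Eq "DNS:${esc}(,|[[:space:]]|\$)" || return 1
}

# install_cert DOMAIN: validate, then cross the privilege boundary via doas.
install_cert() {
	d=$1
	if ! cert_is_sane "$CERTDIR/$d/fullchain.pem" "$CERTDIR/$d/privkey.pem" "$d"; then
		logger -t acme-renew "rejected certificate for $d; not installing"
		return 1
	fi
	doas /usr/bin/install -o root -g wheel -m 0444 \
	    "$CERTDIR/$d/fullchain.pem" "$DEST/$d.fullchain.pem" &&
	doas /usr/bin/install -o root -g wheel -m 0400 \
	    "$CERTDIR/$d/privkey.pem" "$DEST/$d.key" &&
	doas /usr/sbin/rcctl reload httpd
}

# main DOMAIN...: run the client in cron mode (-c is assumed to be its
# renew-if-needed flag), then install each domain whose output passes.
main() {
	"$ACME_CLIENT" -c || {
		logger -t acme-renew "client failed; nothing installed"
		return 1
	}
	rc=0
	for d in "$@"; do
		install_cert "$d" || rc=1
	done
	return $rc
}

# Invoked from the user's crontab as:  renew.sh run example.com www.example.com
if [ "${1-}" = run ]; then
	shift
	main "$@"
fi
```

Because validation runs as the unprivileged user and the doas rules admit only
the two fixed commands, a compromised client can at worst fail validation or
install a certificate that is well-formed and matches its key; it cannot make
httpd load garbage, and the reload is never reached for a rejected file.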



Re: Creating a blog using OpenBSD: technology choices and security considerations

2016-04-26 Thread Kristaps Dzonsons
FWIW, I use my own http://kristaps.bsd.lv/sblg all the time.  It just
knits together HTML (XML style) articles via a Makefile.  No python or
markdown or any crap.  Not sure if it's in ports yet.  (I think A.
Bentley had one?)



OpenBSD 5.8, -static, and -nopie

2016-03-01 Thread Kristaps Dzonsons
Hi,

I'm having a strange issue on 5.8 regarding compiling -static binaries.
 In short, unless I specify -nopie for a particular statically-linked
binary, it segfaults.  Am I making a mistake, maybe, in my compilation?

First, uname -a:

OpenBSD xxx 5.8 GENERIC#1170 amd64

All of the packages are up to date.  Usual bsd.rd install process.

The binary in question is linked as follows in the usual case, where
$(OBJS) is a list of .o's and .a's.  All of the -l libraries are from
packages except for -lkcgi and -lkcgijson, which are static libraries.
(I have other -static binaries compiled with these that work just fine.)
 The binary in question is .  The objects
are compiled without any special flags.  Linking...

% cc -L/usr/local/lib -o admin $(OBJS) -lsqlite3 -lkcgi -lkcgijson -lz
-lgmp -lexpat `curl-config --libs` -lintl -liconv -lm

(curl-config --libs => -L/usr/local/lib -lcurl -lidn -lssl -lcrypto
-lssl -lcrypto -lz)

% ldd ./admin
./admin:
Start            End              Type Open Ref GrpRef Name
19e7ed30 19e7ed72c000 exe  1 0 0 ./admin
19eac365f000 19eac3b36000 rlib 0 1 0 /usr/lib/libsqlite3.so.30.1
19ea1a989000 19ea1ad9e000 rlib 0 2 0 /usr/lib/libz.so.5.0
19ea95ad4000 19ea95f41000 rlib 0 1 0 /usr/local/lib/libgmp.so.9.0
19ea6ff29000 19ea7034e000 rlib 0 1 0 /usr/lib/libexpat.so.11.0
19eaebd87000 19eaec1ea000 rlib 0 1 0 /usr/local/lib/libcurl.so.24.9
19ea4eee4000 19ea4f317000 rlib 0 2 0 /usr/local/lib/libidn.so.17.2
19eadb56f000 19eadb9cf000 rlib 0 2 0 /usr/lib/libssl.so.35.0
19eab1128000 19eab16f8000 rlib 0 3 0 /usr/lib/libcrypto.so.35.0
19ea48539000 19ea48943000 rlib 0 3 0 /usr/local/lib/libintl.so.6.0
19ea02859000 19ea02d57000 rlib 0 4 0 /usr/local/lib/libiconv.so.6.0
19ea8268 19ea82aa8000 rlib 0 1 0 /usr/lib/libm.so.9.0
19eadfa7f000 19eadff59000 rlib 0 1 0 /usr/lib/libc.so.80.1
19ea03e0 19ea03e0 rtld 0 1 0 /usr/libexec/ld.so

If I run the dynamically-linked binary, everything's fine.

Then I try the same, but linking with -static:

% cc -static -L/usr/local/lib -o admin ...

Now,

% ./admin
Segmentation fault (core dumped)

% gdb ./admin
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-unknown-openbsd5.8"...
(gdb) run
Starting program: ./admin

Program received signal SIGSEGV, Segmentation fault.
0x0f92a5b46ced in _dl_boot_bind ()
(gdb) bt
#0  0x0f92a5b46ced in _dl_boot_bind ()
#1  0x0f92a5b468e9 in __start ()
#2  0x in ?? ()

And...

% ktrace -di -t einstuw ./admin
Segmentation fault (core dumped)
% kdump
 29725  EMUL  "native"
 29725 ktrace   NAMI  "./admin"
 29725  EMUL  "native"
 29725 admin    PSIG  SIGSEGV SIG_DFL code SEGV_MAPERR<1>
addr=0x8dfcbd00469 trapno=6
 29725 admin    NAMI  "admin.core"
 29725 admin    CSW   stop kernel
 29725 admin    CSW   resume kernel
 29725 admin    CSW   stop kernel
 29725 admin    CSW   resume kernel

However, if I link with "-static -nopie", everything works fine.  (I
didn't do -fno-pie for the objects, just -nopie after -static.)

I have other binaries that are compiled with `-static' (w/o -nopie) and
they work just fine.  Are one of the packages in the ldd output above
perhaps not compiled with the correct magic?

Best,

Kristaps



Re: davical on openbsd

2015-04-17 Thread Kristaps Dzonsons
> If I'd have to deploy a new caldav only server (i.e. no carddav)
> I'd go testing kcaldav (which I've learned about just today,
> thanks, Joerg Jung!): http://kristaps.bsd.lv/kcaldav/

Do note that small version number with kcaldav--it's still very new
and will gain functionality quite rapidly!  I use it for all of my own
stuff, but I only use regular calendaring, not free-busy and advanced
queries and sharing.  (Though I plan on adding support as time goes on.)

If you use Apache, you'll need to add a re-write rule to let through
Digest authentication.  Reyk's httpd(8) works out of the box via
slowcgi(8).  (No FastCGI til kcgi supports it...)

Best,

Kristaps



iPhones and nginx/slowcgi on OpenBSD =5.5

2014-07-02 Thread Kristaps Dzonsons

Folks,

If anybody's running nginx with slowcgi(8) on or before OpenBSD 5.5 
release, be aware that there's a subtle error (fixed after 5.5) that 
silently discards HTTP headers with some referrers.


Long story: I noticed that cookies POSTed by an iPhone client were lost 
before being passed to a slowcgi(8) script.  Several other HTTP headers 
were also lost (Accept-Language, etc.).  But they were passed through in 
GET calls (and in POST from other systems).  Dumping the request via 
tcpdump(8), I saw that each of the lost headers occurred after a monster
User-Agent string.  In this case,


User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_0_4 like Mac OS X) 
AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B554a 
Safari/9537.53


For the GET calls to the CGI via slowcgi(8), this was being invoked 
last, so there was no loss.


I remembered seeing something in plus.html about the following:

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/slowcgi/slowcgi.c?rev=1.30;content-type=text%2Fx-cvsweb-markup

florian@ saves the day!  The commit message only mentions QUERY_STRING, 
but as it turns out, it's also relevant to other headers.  And in this 
case, causes silent loss.  So if you're using slowcgi(8), you probably 
want to upgrade...


Best,

Kristaps



Re: mdocml.bsd.lv site down

2014-03-22 Thread Kristaps Dzonsons

> Anyone knows about the mdocml site's status?


Daniel,

I know--the server went AWOL yesterday.  I'm contacting the provider to 
see if they can kick it over... please be patient for another day or two!


Best,

Kristaps



Re: OpenBSD's webpage design

2012-06-27 Thread Kristaps Dzonsons

On 27/06/2012 22:53, Matthew Dempsky wrote:
> On Wed, Jun 27, 2012 at 1:41 PM, Ted Unangst <t...@tedunangst.com> wrote:
>> Here's something I think would be a *major* improvement.  Fix
>> magicpoint to export slides in a format better than jpg.
>
> Or extend mandoc to support Comic Sans so it can be used for
> presentation slide decks!


The following was brought to you by Dr. J. Beam, Esq.:

http://mdocml.bsd.lv/foo.1.html

(mandoc -Thtml -Ostyle=barf.css mandoc.1 foo.1.html)



Where do manpages come from?

2011-11-22 Thread Kristaps Dzonsons

Hi (warning: off-topic morning coffee-time message),

Recently, while working on mandoc goodies, it seemed that the many 
Internet accounts of UNIX manpage history were at times inconsistent 
with roff.7:


 http://www.openbsd.org/cgi-bin/cvsweb/src/share/man/man7/roff.7

This resulted in some detective-work to find primary sources.  I figure 
maybe a few others here might be interested in the results:


 http://manpages.bsd.lv/history.html

...Some fun trivia (yes, this is fun--you just don't realise it yet):

 - The grand-father of roff is RUNOFF, written in 1964 by J. Saltzer in 
the MAD language.  Saltzer used RUNOFF to format his MIT doctoral thesis 
proposal.  (Inspired by RUNOFF, B. Kernighan wrote his own port for his 
doctoral thesis at Princeton in 1969.  In Fortran!  Wait... you didn't 
write your own formatter for your thesis?)


 - Most imagine that the first UNIX roff(1) was in C.  It wasn't: it 
was in PDP-11 assembly, written by D. Ritchie.  Even then, in 1971, 
RUNOFF had already been re-written in BCPL, PDP-7 assembly, Fortran, 
CP67/CMS, and GE-635 assembly (the last is speculative).


 - In '91, H. Spencer wrote an roff interpreter in AWK.  Say again: 
AWK.  Damn.


 - Our modern manual sections (my favourite is section 6, although I'm 
yet to beat factor(6)), manpage layout, and man(1) output font style 
descend from the First Edition UNIX Programmer's Manual.  These 
conventions were cooked up by Ken Thompson, inspired by the Multics 
MSPM, itself inspired by CTSS manuals.


 - Robert Morris was supposedly involved in early roff work.  The same 
Robert Morris who later worked for the NSA.  Could this be the REAL 
OpenBSD FBI/NSA/aliens/Berlusconi backdoor?  They can read your MANUALS, 
man; your MANUALS.


Enjoy!

Kristaps



Re: Updating plus.html

2011-11-03 Thread Kristaps Dzonsons

> That said, i don't think having individual developers provide
> plus.html entries in addition to commit messages would work -
> additional workload, lack of uniform style, and lack of a big
> picture perspective.  So it has to be done by one person, or by
> a small team.  The ideal person to do it would know all the
> technical internals of all parts of the system, have huge
> experience in using the system, but be completely unwilling
> or unable to write any code in the first place, to not be
> distracted from writing and committing code improvements.
> Oh well, what a contradictory job ad...  :)
>
> Even if what you are doing is not perfect, having at least something,
> in a consistent style and with regular updates, is certainly a
> huge improvement, compared to letting plus.html die.


.Dd $Mdocdate$
.Dt PLUS49 7
.Os
.Sh NAME
.Nm plus49
.Nd major changes for OpenBSD 4.9
.Sh DESCRIPTION
This is a partial list of the major machine-independent changes (i.e., 
these are the changes people ask about most often).
Machine specific changes have also been made, and are sometimes 
mentioned in the pages for the specific platforms.

.Bl -enum
.It
Introduced a dummy function in
.Xr ifconfig 8
if SMALL is defined to digest arguments like rdomain, description,
etc. so that the
.Xr ifconfig 8
on RAMDISK is able to parse
.Xr hostname.if 5
files on updates.
.\" ...

(ducks)



Re: man page sources?

2011-10-24 Thread Kristaps Dzonsons

On 24/10/2011 11:02, Michal Mazurek wrote:
> On Sun, Oct 23, 2011 at 02:14:02PM +0200, Ingo Schwarze wrote:
>> I committed build system changes to install source manuals
>> and no longer install formatted manuals from 5.0 onwards.
>
> This is nice, now I can do something like this in /etc/man.conf:
>   _build.[1-9n] /usr/bin/mandoc %s
>
> _build.[1-9n] /usr/bin/mandoc -Owidth=`stty size | awk '{print $2 - 2}'` %s
>
> to have the manpage fit my display. Especially useful if I have split
> screen in a tiling window manager, and the terminals are smaller than 80
> columns.


(Looks like schwarze@ beat me to a reply...)

Neat!  I never thought of that, though I often use -Owidth to embed 
manuals in emails without line-wrapping.  Never really thought of using 
it elsewhere.  mandoc may behave funny when squeezed for space, so as 
schwarze@ said, please mail me if you see aberrant behaviour.


An alternative (which I haven't tried) is to set the manpager to lynx 
-stdin and use mandoc -Thtml as an output mode.  Then lynx can reflow 
the text for you.  It's not possible to do links, however (I leave why 
not as an exercise for the reader).


Take care,

Kristaps



Re: Couple of issues with man pages.

2011-10-12 Thread Kristaps Dzonsons

On 12/10/2011 19:31, David Walker wrote:

Hey team.

I'm looking at cvs and man pages and stuff.

I notice that two cvs pages - cvs(1) and cvs(5) - don't have SEE ALSO
hyperlinks appearing in cgi ...

http://www.openbsd.org/cgi-bin/man.cgi?query=cvs&sektion=1&manpath=OpenBSD+Current

http://www.openbsd.org/cgi-bin/man.cgi?query=cvs&sektion=5&manpath=OpenBSD+Current

... so I browse mdoc and see this:

Xr
  Link to another manual ...

.Xr name section

  If
  section is followed by non-punctuation, an Ns is inserted into the token
  stream.


Hi David,

cvs(1) and cvs(5) aren't in mdoc(7), but in man(7).  The legacy man(7) 
language doesn't have support for tagging text as a cross-reference. 
What you see is in fact font-modes being used to make the familiar 
bold(bold), e.g., cvs(5).  It's clear by inspection that man.cgi had 
some heuristics for labelling cross-references (some of the curses 
manuals, for example, have linky cross-references), but it's obviously 
not perfect...  mdoc(7) manuals, however, should always be linky.


Tip: you can usually tell straightaway whether a manual is in mdoc(7) or 
man(7) by looking at the header.  If it has the nice volume name as the 
centre of three columns (e.g., OpenBSD Reference Manuals), then it's 
most likely in mdoc(7).


Take care,

Kristaps



Does anybody use deroff(1)?

2011-09-01 Thread Kristaps Dzonsons

Hi,

I'm curious---does anybody use deroff(1)?  And if so, for what?  I'm 
only interested in contemporary uses unless you have some awesome 
stories.  I guess I'm curious if it has any particular utility other 
than deroff | spell.  (Does anybody use spell(1), for that matter?)


References:

http://www.openbsd.org/cgi-bin/man.cgi?query=deroff&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

http://www.openbsd.org/cgi-bin/man.cgi?query=spell&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

Thanks,

Kristaps



mdoc manuals [OT]

2011-08-26 Thread Kristaps Dzonsons

Hi,

How many of you want secretly to write or edit manpages but are scared 
away by the language syntax?


How many have needed to write a manual, but just, you know, copied over 
something similar, tweaked some words, and crossed your fingers?


How many can distantly remember searching the web for how to write unix 
manuals and coming up with something by esr?


Or maybe you're infuriated by the relevance of http://xkcd.com/912.

If any of these applies to you, read on.

OpenBSD's mdoc(7) is THE REFERENCE for manpages.  But the material is 
dense owing to mdoc's twisty syntax.  And after all, if you're just 
starting on OpenBSD, or UNIX in general, it takes a bit of research to 
even know mdoc(7) exists.  You didn't learn to write C by reading the 
EBNF, did you?  No.  You used K&R's book.


In short, not long after m2k10, I started to write a series of simple 
guides to bridge the gap between "How do I?" and mdoc(7).  It grew into 
a manuscript, a friendly sort of manuscript.  Then a sad orphaned 
manuscript after being shot down by some publishers.  So I slapped on a 
friendly license and put it on the web.  It's here:


http://manpages.bsd.lv/

And it needs love and care from more than just me.  So if any of the 
above appeals to you, please give it a look, and send your most scathing 
criticism.  It is NOT intended to replace mdoc(7)!  But instead educate 
what can't really be explained in a manual: conventions, nits, tools, 
and so on.  And it's very, very much a work in progress.


I marked this mail off-topic because it's not exactly an OpenBSD topic, 
although the topic of manuals---OpenBSD's are the finest---is quite 
relevant to anybody who has run man.  And the more knowledge of mdoc, 
the better the manuals.  But I do apologise if this is all in 
frightfully bad form.


Thoughts?

Kristaps



Re: Jail-System for OpenBSD

2011-07-21 Thread Kristaps Dzonsons

I think the question is not new but I only found an old talk for version
3.x, so I want to ask again:

Is there anything comparable to FreeBSD jails (now)?

I found sysjail but I am not sure, if it is working under 4.9 (maybe I
will try it in the next few days):
http://richizo.wordpress.com/2008/12/31/jailing-openbsd-in-5-steps/


I haven't touched sysjail since 4.3 and nobody's sent patches to update 
it since then (though some hot air's been blown around).  The linked 
tutorial is also wrong: it just copies around some ifdefs instead of 
actually making sure nothing's changed between versions.  Bad.  Please 
contact me off-list if you're SERIOUS about maintaining sysjail between 
versions (no patches = don't bother).  Of course, this won't change that 
sysjail is breakable (and, note significantly, NOT part of OpenBSD proper).


Kristaps.



Re: Jail-System for OpenBSD

2011-07-21 Thread Kristaps Dzonsons

There's chroot of course. Jail itself has issues and some of them are
described eg. here http://www.youtube.com/watch?v=JaVnNllZxn4


(Note I've also not put any work into mult, sadly.  All of my hacking 
time's pushed into mandoc sweet-sweet-sweetness.)  (Yeah, that's me in 
the presentation.)




Re: OT: Seems OpenBSD isn't absolutely alone in it's quest, atleast on embedded systems.

2011-06-08 Thread Kristaps Dzonsons

Here's a helpful start:

http://www.unlambda.com/lisp/mit.page

Enjoy!



Re: GCC manpage glitch

2010-08-18 Thread Kristaps Dzonsons
 Stuff like \s0 or \s12 may not be documented in the GNU troff manuals -
 i did not check - but the Nroff/Troff User's Manual by Ossanna,
 Kernighan, and Ritter, available as part of the Heirloom Documentation
 Tools, see http://heirloom.sourceforge.net/doctools.html
 does document it:
 
   Alternatively the point size may be changed between any two
characters by imbedding a \sN at the desired point to set the
size to N, or a \s±N (1≤N≤8) to increment/decrement the size
by N; \s0 restores the previous size.  (section 2.3)
 
 Oh, and by the way,
 
   \s39  appears to be equivalent to  \s'36', while
   \s40  appears to be equivalent to  \s'4'0 -
 
 that is, in the letter case, the character '0' appears
 in the output stream, in font size 4pt!
 
 But i'm not sure we really need to extend quirk-compatibility
 down to that level of ugliness.  Looks like somebody applied the
 principle of biggest surprise when designing this.

I procrastinated this morning with a numeric subexpression filter, but
it's clear this won't end with super-pretty results.  For example,

.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
^^^^

The I is removed in troff -Tascii due to the subsequent \h (with -Tps,
it renders).  I don't think mandoc should be going down this rabbithole:
even with a subexpression parser, which shouldn't be /too/ difficult, it
would need full \h intelligence, and thus numeric calculations, to
format this properly.

Take the pod2man preamble's documentation to heart:

.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
.\" fudge factors for nroff and troff

Really?  In production code?  Thanks.

Furthermore, as you can see in the \h'-\w'I'u*3/5', the subexpression
needn't even be parenthesised.

I think the least complicated measure is to teach mandoc to have numeric
subexpressions, i.e., only for \s, \h, \v, and \w.  The more pod2man we
can handle, the better.

Or better yet, maybe somebody wants to tackle a pod2mdoc? :-)

Kristaps



Re: GCC manpage glitch

2010-08-16 Thread Kristaps Dzonsons

The gcc manpage contains some weird glitches, for instance :
(usually Cv'-.1v'h'-1p'+h'-1p'+v'.1v'h'-1p')

I tracked it down to (usually \*(C+) in the man page's source.
However, I'm not a *roff expert so I don't know where to look, so I
just let you know.


Hi Thomas,

Good catch.  For any roff people, the culprit was

.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'

The \v and \h escapes weren't being properly handled in mandoc (vertical 
positioning... ugh), nor was a missing sign in \s.


Thanks,

Kristaps
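The escape handling these two GCC-manpage threads turn on (the \v, \h and signed \s escapes in the C+ string above, the nested \w'I' inside \h'-\w'I'u*3/5' from the 2010-08-18 message, and the \f(CW font escape from the perllol report), as an added example that is not mandoc's code: a small C scanner that finds the boundaries of those escapes, including quoted numeric arguments that contain further escapes, and drops them to leave the printable text.  It assumes the classic troff rule that \sN takes a second digit only when the first is 1, 2 or 3, and it evaluates no motions at all.

```c
#include <ctype.h>
#include <string.h>
/* Skip a '...' escape argument; in points just past the opening quote.  A
 * nested \w'I' inside \h'-\w'I'u*3/5' carries its own quoted argument, so
 * its closing quote must not end the outer one. */
static const char *
skip_quoted(const char *in)
{
	for (; *in != '\0' && *in != '\''; in++)
		if (*in == '\\' && in[1] != '\0' && in[2] == '\'' &&
		    strchr("whvs", in[1]) != NULL)
			in = skip_quoted(in + 3) - 1;	/* nested argument */
		else if (*in == '\\' && in[1] != '\0')
			in++;	/* any other escape: skip both bytes */
	return *in == '\'' ? in + 1 : in;
}
/* Rewrite s in place to its printable text, dropping \s font sizes, \h/\v
 * motions, \w widths, \f fonts and \* strings (undefined ones expand to
 * nothing).  Only the parse is done: motions are not evaluated, so
 * overstrikes that troff -Tascii collapses remain.  Returns the length. */
size_t
roff_strip(char *s)
{
	const char *in = s;	/* output never outruns input: in place is safe */
	size_t n = 0;
	while (*in != '\0') {
		if (*in != '\\') { s[n++] = *in++; continue; }
		switch (*++in) {
		case 's':	/* \s0, \sN, \s+N, \s-N: one digit, two after 1..3 */
			if (in[1] == '+' || in[1] == '-') in++;
			if (isdigit((unsigned char)in[1])) {
				in += (strchr("123", in[1]) != NULL &&
				    isdigit((unsigned char)in[2])) ? 3 : 2;
				break;
			}	/* else FALLTHROUGH: \s'expr' */
		case 'h': case 'v': case 'w':	/* \h'expr', \v'expr', \w'text' */
			if (*++in == '\'')
				in = skip_quoted(in + 1);
			break;
		case 'f': case '*':	/* \fX, \f(XX, \*x, \*(xx: 1- or 2-char name */
			in += (in[1] == '(' && in[2] && in[3]) ? 4 : (in[1] != '\0') + 1;
			break;
		case '&': in++; break;	/* zero-width space prints nothing */
		case '\0': break;	/* trailing backslash: ignore */
		default:	s[n++] = *in == 'e' ? '\\' : *in; in++;	/* \\ \e \- */
		}
	}
	s[n] = '\0';
	return n;
}
```

Run over the C+ definition it yields "C++"; the Th string comes out as "Io" rather than "o", because the backward \h motion that makes troff -Tascii swallow the I is never evaluated, which is exactly the calculation the message says mandoc should not chase.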



Re: mandoc issue?

2010-04-07 Thread Kristaps Dzonsons
 hi there,
 
 $ perldoc perllol (or man perllol)
 ...
An array of an array is just a regular old array CW@AoA
that you can get at with two subscripts, like
CW$AoA[3][2]. Here's a declaration of the array:
 ...
 
 expected:
 
An array of an array is just a regular old array @AoA that
you can get at with two subscripts, like $AoA[3][2].
Here's a declaration of the array:

Looks like I have to fit in support for the CW font escape... thanks for
pointing this out!  If you find other issues, please let me or Ingo know
directly.

Thanks again,

Kristaps



Re: cat1/sh.0: formatting problem

2010-04-06 Thread Kristaps Dzonsons

ok, here's something that doesn't look right (hmm, I should
probably file a bug?)



you don't need to open bug reports for this stuff - just let us know. in
this case it looks like the Pf macro is misbehaving. i've mailed
kristaps and ingo to let them know.


Hi Claus -- good catch!

The `Pf' macro is stated as being non-callable in mdoc.samples(7) (which 
mandoc(1) uses as its basis); however, a quick test shows that this is 
incorrect: .Fl Pf a b results in -ab.  I'll lift the restriction on 
`Pf's non-callability, which will fix this issue.


Thanks again,

Kristaps



Re: systrace/sysjail wrappers security

2007-08-07 Thread Kristaps Dzonsons
 I am using sysjail, so I am very interested how to mitigate attacks or
 is there anything OpenBSD could change to mitigate these issues?

Until the kernel wrapper issues have been addressed, the sysjail
page has been updated to indicate that it SHOULD NOT be used 
(nor should any systrace(4) system, which, to the best of my
knowledge, is only systrace(1) and Xsystrace(1)).